Trustix alert TSLSA-2005-0066 (gtk2+ lynx)
| From: | Trustix Security Advisor <tsl@trustix.org> |
| To: | tsl-announce@lists.trustix.org |
| Subject: | TSLSA-2005-0066 - multi |
| Date: | Tue, 22 Nov 2005 11:54:16 +0100 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2005-0066

Package names:      gtk2+, lynx
Summary:            Multiple vulnerabilities
Date:               2005-11-18
Affected versions:  Trustix Secure Linux 2.2
                    Trustix Secure Linux 3.0
- --------------------------------------------------------------------------

Package description:
  gtk2+
  The gtk+ package contains the GIMP ToolKit (GTK+), a library for creating
  graphical user interfaces for the X Window System. GTK+ was originally
  written for the GIMP (GNU Image Manipulation Program) image processing
  program, but is now used by several other programs as well.

  lynx
  Lynx is a text-based Web browser. Lynx does not display any images, but it
  does support frames, tables and most other HTML tags. Lynx's advantage over
  graphical browsers is its speed: Lynx starts and exits quickly and swiftly
  when displaying Web pages.

Problem description:
  gtk2+ < TSL 3.0 >
  - SECURITY Fix: An attacker could create a carefully crafted XPM file in
    such a way that it could cause an application linked with gtk2 to execute
    arbitrary code when the file was opened by a victim. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2005-3186.

  - SECURITY Fix: Ludwig Nussel discovered an infinite-loop denial of service
    bug in the way gtk2 processes XPM images. An attacker could create a
    carefully crafted XPM file in such a way that it could cause an
    application linked with gtk2 to stop responding when the file was opened
    by a victim. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-2975.

  lynx < TSL 2.2 > < TSEL 2 >
  - Security Fix: vade79 has reported a vulnerability in Lynx, which can be
    exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to unspecified configuration and input
    validation errors in the handling of certain URI handlers which execute
    local programs. This can be exploited to execute arbitrary commands via
    the "lynxcgi", "lynxexec", and "lynxprog" URI handlers. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2005-2929.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>

Verification:
  This advisory along with all Trustix packages are signed with the TSL sign
  key. This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.2/> and
  <URI:http://www.trustix.org/errata/trustix-3.0/>
  or directly at
  <URI:http://www.trustix.org/errata/2005/0066/>

MD5sums of the packages:
- --------------------------------------------------------------------------
3148ec20cf65bd391acfec0d4005c5f4  2.2/rpms/lynx-2.8.5-4tr.i586.rpm

ed624ad80038e95d709a30f2744959b4  3.0/rpms/gtk2+-2.6.7-5tr.i586.rpm
bedbadce4325ee11e207e85b26ea44ed  3.0/rpms/gtk2+-devel-2.6.7-5tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDgvBVi8CEzsK9IksRAtmEAJ9+xBMZjBfz1vLSj6XLrUv9mD94BwCeLumv
WPtDHlz5i+zr+p2x+pfuSTM=
=1sQp
-----END PGP SIGNATURE-----

_______________________________________________
tsl-announce mailing list
tsl-announce@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-announce
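The advisory's "Verification" and "MD5sums" sections describe the check an administrator should run before installing the updated packages from a mirror. The script below is an added example, not part of the Trustix advisory or its tooling: it embeds the three MD5 sums exactly as published above and compares them with the files found under a local mirror directory, reporting OK, MISMATCH or MISSING per package and returning non-zero if anything is wrong. The `verify_sums` and `md5_of` function names and the mirror-directory argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Trustix advisory): check downloaded update
# packages against the MD5 list published in TSLSA-2005-0066 before installing.
# Usage: verify_sums "$ADVISORY_SUMS" /path/to/local/mirror/root

# MD5 list copied from the advisory, in "md5sum -c" format:
# "<md5>  <path relative to the updates directory>".
ADVISORY_SUMS='3148ec20cf65bd391acfec0d4005c5f4  2.2/rpms/lynx-2.8.5-4tr.i586.rpm
ed624ad80038e95d709a30f2744959b4  3.0/rpms/gtk2+-2.6.7-5tr.i586.rpm
bedbadce4325ee11e207e85b26ea44ed  3.0/rpms/gtk2+-devel-2.6.7-5tr.i586.rpm'

# md5_of FILE: print the hex MD5 digest of FILE. Uses md5sum when present,
# otherwise falls back to openssl (whose -r output is "<hex> *<file>").
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    openssl dgst -md5 -r "$1" | cut -d' ' -f1
  fi
}

# verify_sums SUMS DIR: compare every package listed in SUMS with the file of
# the same relative path under DIR. Prints one status line per package and
# returns 0 only if all packages are present and match. A missing package is
# a failure too, so an incomplete download is never silently accepted.
# The list is fed through a here-document rather than a pipe so that the
# result variable set inside the loop survives in the calling shell.
verify_sums() {
  sums="$1"; dir="$2"; rc=0
  while read -r expected path; do
    [ -n "$path" ] || continue            # skip blank lines
    file="$dir/$path"
    if [ ! -f "$file" ]; then
      printf 'MISSING   %s\n' "$path"
      rc=1
      continue
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
      printf 'OK        %s\n' "$path"
    else
      printf 'MISMATCH  %s (got %s, advisory lists %s)\n' \
        "$path" "$actual" "$expected"
      rc=1
    fi
  done <<EOF
$sums
EOF
  return $rc
}
```

Run it from the directory into which `http://http.trustix.org/pub/trustix/updates/` was mirrored, for example `verify_sums "$ADVISORY_SUMS" ./updates`. Two caveats a practitioner should keep in mind: the MD5 sums only establish that the files match what the advisory lists, and because the advisory itself is PGP-signed that list is trustworthy only after the signature has been verified against the TSL sign key; and MD5 is no longer collision resistant, so the signature on the advisory (and `rpm --checksig` on the RPMs themselves) is the real integrity anchor, with the sums serving as a quick check against truncated or corrupted downloads.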
